Cyber criminals are constantly changing their tactics and just as the security industry seems to have dealt with the latest threat, something new emerges.
Ransomware attacks were the big thing in 2017, while cryptomining malware became popular with crooks trying to make a quick buck throughout 2018. Both of these are still a threat, alongside the tried-and-tested menaces of malware, phishing and hacking, which have continued to plague organisations across the globe.
But one trend this year is that cybercrime is getting more personal. While targeted attacks against particular types of companies or groups of people were once something associated with high-end state-backed hacking operations, now less sophisticated cybercrime groups are using the same tactics.
"E-crime is slowly shifting from a maximum hits paradigm to maximum accuracy. Some groups are getting very picky about their targets, they really try to pinpoint the right demographics," says Assaf Dahan, head of threat research at Cybereason.
There's a key factor driving this: money. If attackers can steal the right data, or hold the right systems hostage for a ransom, they can make a bigger profit than they can just by going after the general population.
Self-preservation is another factor: for crooks who want to ensure they and their attacks have the best chance of remaining hidden, they won't spam malware out across the world. They're more likely to stay under the police radar if they choose to go after a small cluster of targets, or even just a single large entity.
"If I were to develop a malware that's very focused on stealing financial data from British banks, why would I bother infecting people in Bolivia or China? The more it's proliferated, the greater the risk that it'll get caught," says Dahan.
While many cyber criminal groups are still noisy and focused on short-term profit, some are now conducting surveillance to ensure they hit the right targets.
"The blurred lines between the techniques used by nation-state actors and those used by criminal actors have really gotten a lot fuzzier," says Jen Ayers, vice president of OverWatch cyber intrusion detection and security response at CrowdStrike.
"Many criminal organisations are still very loud, but the fact is rather than going the traditional spam email route that they have been before, they are actively intruding onto enterprise networks, they are targeting unsecured web servers and going in, stealing credentials and doing reconnaissance," she adds.
This is another tactic that malicious threat actors are beginning to deploy in order to both avoid detection and make attacks more effective – conducting campaigns that don't focus on Windows PCs and other common devices used in the enterprise.
With these devices sitting in front of users every single day, and being a top priority for antivirus software, there's a higher chance that an attack on them will either be prevented by security measures or spotted by users.
However, if attackers can get straight into the backend of an organisation and compromise servers directly, they could stay hidden for months or even years without being noticed if they're careful. Therefore, attackers with a focus on stealth are increasingly turning towards this option.
"We're seeing a shift away from attacks on endpoints to attacks on servers," says Chet Wisniewski, principal research scientist at Sophos, who argues that servers are often more vulnerable to hackers than endpoints are.
"Servers don't have nearly the same protections in place that desktops do. The same company that tells me they do 'Patch Tuesday' within 10 days for desktops will tell me it's 90 days for servers," he explains, adding: "Those servers are glaring weak spots in our strategy currently and the criminals are going straight for it."
Encrypting some PCs might be painful, but hitting the servers that a whole company relies on could hurt a lot more.
"We've had customers impacted by these attacks in the last month who've been hit by more than a million-dollar ransoms. Why try to grab pennies ransoming grandma's laptop if you can hit one company, lock up eight servers and walk away with a million dollars?" says Wisniewski.
The campaigns are working because, in many cases, the victim decides to give in to the ransom demand. Meanwhile, those who don't pay can find they end up spending far more than the cost of the ransom on cleaning up the mess it has made.
For example, the city of Baltimore was hit by a demand for around $76,000 in bitcoin and refused to pay the criminals – it's estimated the decision not to pay has had a financial impact of over $18m.
The vast majority of organisations – if not all – will be employing some sort of security software to help protect against attacks. Often this software will use artificial intelligence and machine learning to help protect users against both known and unknown threats.
For now, that technology remains firmly in the hands of the cybersecurity industry, but it might not be much longer before cyber criminals gain access to it and start exploiting it to conduct attacks.
"Attacks using machine learning are totally possible – it's easy to imagine programs that will modify their own code to evade detection and learn how they get detected and how they don't," says Mikko Hyppönen, chief research officer at F-Secure.
"When it becomes easy enough, when the barriers to entry are low enough, it's going to start happening."
Fortunately there's currently a shortage of staff who have the necessary skills required to work in AI and machine learning – so anyone who has those abilities can easily make a good living for themselves by working for the good guys.
"There aren't enough people in the world who are experts in machine learning. If you're an expert in this field, you don't have to go into a life of crime because you'll find a great company who'll pay you a great salary and fly you around the world," Hyppönen explains.
Still, there was a time when cybercrime was limited to those with the skills to build and distribute malware. Now, almost anyone with knowledge of how to access dark web forums could potentially get involved, thanks to the way conducting attacks has become commercialised.
Wannabe attackers with virtually no experience of deploying malware can buy a kit for just a few dollars and take it from there. Hyppönen believes that the use of malicious AI will follow a similar path.
"Things are getting easier and easier to use. Eventually systems will become so easy to use that any idiot will be able to use them – and that's when we'll see attacks using machine learning," he says. "This might be just a year away, we'll see, but it's not very far."
This could create new challenges for cybersecurity, but it's likely that, as with the majority of cyberattacks targeting organisations, such attacks can be prevented by employing good security practices.
These include making sure software and applications are patched, and that this is done within the shortest timeframe possible: if software companies – and in some cases, governments – warn you to apply a security patch, there's a reason to do so.
Unfortunately, many organisations go far too long without applying patches for security vulnerabilities, leaving them open to attacks – both new and old – that should be easily prevented.
"These guys are looking for the low-hanging fruit. If you're not the low-hanging fruit, you're far less likely to be compromised," says Wisniewski.